The JPC for PDPB decided to include parts of Non Personal Data regulation within the provisions of the DPA 2021. In the process a situation of overlapping jurisdiction was created between the ITA 2000 and DPA 2021. Earlier with Section 43A of ITA 2000 being replaced by PDPB2019 gave a clear distinction between “Personal Data Regulation” under PDPB 2019 and “Non Personal Data Protection” under ITA 2000 with the possible “Non Personal Data Governance” under a new act as suggested by Kris Gopalakrishna report.
In a bid to avoid creating a Non Personal Data Governance Authority of India, the JPC decided to make the DPAI also responsible for Non Personal Data to the extent of Breach notification. This left the door for future regulation on “Non Personal Data Governance” also with the DPAI.
Without going into the merits of whether an authority which is “Privacy Protection Oriented” would be the right authority for “Monetization of Data” which would be the essential part of the Non Personal Data Governance Act, we can note that the decision of the JPC has created overlapping of DPA 2021 with ITA 2000.
ITA 2000 essentially applies to data of all kinds and hence it applies both to personal data and non personal data. To the extent DPA 2021 deals with “Reasonable Security Practice” which was earlier under Section 43A, there is no overlapping of provisions. DPA 2021 also does not cover criminal offences which are covered under Chapter XI of ITA 2000/8. The only offensive section under DPA 2021 could have been covered under ITA 2000 itself. This section (Section 83) under DPA 2021 relates to “Unauthorized modification of de-identified data back to identified data and thereby diminishing the value of de-identified data” and can be covered under ITA 2000 under Section 43(i) read with Section 66.
If this section 83 DPA 2021 had been removed, DPA 2021 could have remained entirely a “Section 43A supporting compliance legislation”. This would have maintained the two legislations distinct.
Now that JPC did not factor the existence of a statutory body called CERT-IN, it appears that CERT-IN has decided that it would announce its statutory status and published the latest data breach notification directive of April 28, 2022.
The industry representatives have already got perturbed and ran to the Minister to complain that this would affect the Privacy which he has correctly defended. (Refer indianexpress here)
The recent directive has asserted the power of CERT-IN and hence it cannot be challenged even after DPA 2021 is enacted.
However, a potential conflict situation between DPAI and Director General CERT-IN may arise and both need to show statesmanship in collaborating with each other. Though the CERT-IN and DPAI may resolve their differences, it is likely that the industry will play one against the other for their own advantage and project CERT-IN as an “Official of MeitY” and not to be respected like a DPAI which has 7 august members with expertise in different areas such as Law, Technology, Data Science etc.
In order to prevent the weakening of the perceived role of CERT IN, it is necessary for the Meity and CERT-In to strengthen its perceived position. One suggestion in this regard is given below.
- An Advisory Committee should be established by a gazette notification under the chairmanship of Director General, CERT-IN.
- The committee shall have at least Six members consisting of experts in the area of Cyber Law, Technology Data Science, Data Security, National Security, grievance redressal experience (Example Arbitration, etc, or a lawyer who is eligible for being appointed as a Judge of a High Court).
- The Committee shall meet as often as necessary either through virtual meetings or physical meetings and provide its views on various issues on which the CERT-IN needs to take decisions, in particular when action is to be initiated against an entity under Section 70B(7)
- The committee shall also recommend to the CERT-IN to initiate a complaint with a relevant Adjudicator (Under section 46 of ITA 2000) to undertake an inquiry as per the Information Technology (Qualification and Experience of Adjudicating officers and manner of holding enquiry) rules 2003.
Under the above suggestion the CERT-IN and his advisory committee will match the expertise of the DPAI in terms of experience and skills so that any interaction between the CERT-IN and DPAI shall take place with two nearly equally empowered regulatory authorities.
Also under Section 70B(7) action may be initiated by the CERT-IN against any entity that contravenes the directions of the CERT-IN or otherwise fails to report a data breach, by recommending prosecution for a punishment of imprisonment upto 1 year and a fine of Rs one lakh.
Under Section 70B, it may be difficult to impose any penalty on any entity as a deterrent. Such power under ITA 2000 vests only with the adjudicator who can take either a “Suo Moto” cognizance of a contravention of ITA 2000 or act under a complaint which can be filed by any person who can claim compensation for a loss suffered.
If there is a data breach, there would be some affected person who may or may not come forward to file a complaint with the Adjudicating officer. But the Adjudicating officer coming to know of a contravention (which may be through a report submitted by the CERT-IN) can initiate an inquiry. If the inquiry finds that there has been a contravention and there has been a wrongful loss to some body and wrongful gain to some body else, he can order collection of penalty from the person responsible for the loss and hold it in trust for the claims that may arise from any affected victim.
Since the notification of ITA 2000 on 17th October 2000 and the creation of Adjudicating officers through notification of 25th march 2003, there have not been any published reorts of Adjudicating officers imposing fines except on specific complaints preferred by some complainants.
There could be some cases where the Police have sought the assistance of the Adjudicating officer (eg: Karnataka) where fines have been imposed on Cyber Cafes under Section 45 of ITA 2000 (Residual penalty) which must have been appropriated by the Government as if it is a penalty imposed for a criminal offence. Such cases have not been widely reported.
Now CERT-IN needs to take the responsibility to advise the relevant Adjudicating officer (the IT Secretary of the State where the victim of a contravention resides) that there has been a data breach in his jurisdiction and it warrants a suo moto inquiry and deterrent action.
It is noted that the Minister of IT, Sri Rajeev Chandrashekar has reported today that there is also an attempt to amend the ITA 2000/8 and a draft would be presented for public comments within a month. If required, some of the changes suggested above of creating an Advisory body for the Director General CERT-IN can be formally introduced into the Act.
It may also be noted that ITA 200o envisaged a committee called “Cyber Advisory Committee” which has to endorse any amendment to the Act as per section 88 of ITA 2000. It can also be recalled that the Controller of Certifying Authorities had created one such advisory committee in the year 2000 of which the undersigned was also a part. There was also an Inter-Ministerial working group of which also the undersigned was a part. These committees had limited existence and subsequently most decisions are being taken by the executives in MeitY. Many of these decisions including the Intermediary Guidelines of 25th February 2021 have been systematically challenged in the Supreme Court and inefficient handling of the Shreya Singhal petition lead to Section 66A being scrapped by the Supreme Court without a proper replacement of the provisions as was promised by the then IT Minister.
The creation of the CERT-IN Advisory board will therefore provide a legal strength to the decisions given out by the Director General of CERT-IN. It could become a “Shadow DPAI” so that any data breach related directions for non personal data under section 25 of the proposed data protection act (DPA 2021) can be issued by CERT-IN instead of by the DPAI.